PCI DSS & Merchant Information

The Payment Card Industry Data Security Standard (PCI DSS) was created in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc. The PCI Data Security Standard helps protect cardholder data. It sets the operational and technical requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions. Maintaining payment security is serious business. It is vital that every entity responsible for the security of cardholder data diligently follows the PCI Data Security Standard.

If you accept or process payment cards, the PCI DSS applies to you! The standard is made up of 6 Goals and 12 Requirements.

Texas State University must comply with the PCI DSS in order to accept payment cards. You may review UPPS 03.01.05 for PCI DSS compliance. See the resources and documentation below to assist departments in complying with the PCI Standard.

Scroll down for the requirements for APPROVED processing methods and other helpful information.

Requirements

Departments that accept payment cards use one or more methods to process payments. Each processing method must comply with specific PCI DSS requirements. Each merchant department has an account manager and a primary contact; some departments may also have a technical contact. Each year, merchant departments must complete and/or review and update the following items:

PCI DSS Department Procedure: Outlines how the department processes payment cards. Provides step-by-step instructions on best practices and on how to maintain security for all merchants.

PCI DSS Employee List: Documents employees with payment card responsibilities and when they completed the online training. Includes hire and termination dates. Terminated employees should remain on the list for 2 assessment cycles.

PCI DSS Training: Completed annually by each employee with payment card processing responsibilities, including supervisors and account managers. Positions can be flagged for the training, and renewal notifications are sent prior to training expiration.

PCI DSS Device Inspection Log: Completed monthly on all devices capable of swiping or dipping a payment card. Devices are inspected for evidence of physical tampering.

eCommerce Only: If you only have eCommerce accounts through Marketplace, you will be asked to sign a document annually that serves as PCI DSS training and as an acknowledgement that you will follow the processes for eCommerce accounts.

These documents are collected, and each department's compliance is assessed each year. Merchant account managers are required to sign off on the assessment questionnaire.

Training

All employees who handle credit card data, or who supervise those who handle credit card data, including account managers, should complete the online training module in SAP called PCI Credit Card Compliance (found under Employee Information and Legal Issues). This training must be renewed annually. The following training items are supplemental to the online training.